It is critical that every user uses secure passwords to authenticate
to systems like TYPO3. The following rules should be implemented in a
password policy:

Ensure that the passwords you use are at least 9 characters long.

Passwords should have a mix of upper and lower case letters, numbers
and special characters.

Passwords should not be made up of personal information such as names,
nicknames, pets' names, birthdays, anniversaries, etc.

Passwords should not be made up of common words that can be found in
dictionaries.

Do not store passwords on Post-it notes, under your desk cover, in
your wallet, unencrypted on USB sticks or anywhere similar.

Always use a different password for different logins! Never use the
same password for your e-mail account, the TYPO3 backend, an online
forum and so on.

Change your passwords at regular intervals, but not too often (this
would make remembering the correct password too difficult), and avoid
reusing any of your last 10 passwords.

Do not use the “stay logged in” feature on websites and do not store
passwords in applications like FTP clients. Enter the password
manually every time you log in.

A good rule of thumb for a secure password is that a search engine such
as Google should return no results if you searched for it. Please
note: do not choose your passwords by this method; it is only an
example of how cryptic a password should be.

Another rule is that you should not choose a password that is too
strong either. This sounds self-contradictory, but most people will
write down a password that is too difficult to remember, which goes
against the rules listed above.

In a perfect world, you should only use “trusted” computers. Public
computers in libraries, internet cafés, and sometimes even the
computers of work colleagues and friends can be manipulated (with or
without the knowledge of the owner) to log your keyboard input.
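
The machine-checkable rules above (minimum length, character mix, personal information, dictionary words, reuse of the last 10 passwords) can be enforced when a password is set. The following is an added example, not TYPO3 code: all function names, the PBKDF2 work factor and the sample word lists are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 9           # minimum length from the policy
HISTORY_DEPTH = 10       # the last 10 passwords must not be reused
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

# Constructed sample data; real deployments load a full word list.
SAMPLE_DICTIONARY = {"sunshine", "password", "welcome"}
SAMPLE_PERSONAL = ["Alice", "Rex", "1987"]

def hash_password(password, salt):
    # History holds salted PBKDF2 digests, never plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def check_password(password, personal_terms, dictionary, history):
    """Return the violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not all(re.search(c, password) for c in CLASSES):
        problems.append("missing_character_class")
    lowered = password.lower()
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        problems.append("contains_personal_info")
    # Strip digits and symbols so "Sunshine2024!" still matches "sunshine".
    if re.sub(r"[^a-z]", "", lowered) in dictionary:
        problems.append("dictionary_word")
    # Compare against stored (salt, digest) pairs in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("reused_password")
            break
    return problems

def remember(password, history):
    """Record an accepted password and keep only the newest HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))
    del history[:-HISTORY_DEPTH]

if __name__ == "__main__":
    history = []
    remember("Tq7#vLm2!xZp", history)
    for candidate in ("Ab1!", "Sunshine2024!", "Tq7#vLm2!xZp", "g4%Kw9&nRb2x"):
        print(candidate, check_password(candidate, SAMPLE_PERSONAL, SAMPLE_DICTIONARY, history))
```

The dictionary check here only catches a single word padded with digits and symbols; the storage and device rules cannot be checked in code and remain a matter of user behaviour.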